[#2618] Update settings + docs for django-setup-configuration

maykinmedia · Oct 17, 2024 · 637151c · 637151c
1 parent 46841b9
commit 637151c
Show file tree

Hide file tree

Showing 6 changed files with 89 additions and 143 deletions.
diff --git a/docs/configuration/admin_oidc.rst b/docs/configuration/admin_oidc.rst
@@ -36,7 +36,6 @@ All settings:
     ADMIN_OIDC_DEFAULT_GROUPS
     ADMIN_OIDC_GROUPS_CLAIM
     ADMIN_OIDC_MAKE_USERS_STAFF
-    ADMIN_OIDC_OIDC_EXEMPT_URLS
     ADMIN_OIDC_OIDC_NONCE_SIZE
     ADMIN_OIDC_OIDC_OP_AUTHORIZATION_ENDPOINT
     ADMIN_OIDC_OIDC_OP_DISCOVERY_ENDPOINT
@@ -65,12 +64,12 @@ Detailed Information
     Setting             claim mapping
     Description         Mapping from user-model fields to OIDC claims
     Possible values     Mapping: {'some_key': 'Some value'}
-    Default value       {'email': 'email', 'first_name': 'given_name', 'last_name': 'family_name'}
+    Default value       {'email': ['email'], 'first_name': ['given_name'], 'last_name': ['family_name']}
     
     Variable            ADMIN_OIDC_GROUPS_CLAIM
     Setting             groups claim
     Description         The name of the OIDC claim that holds the values to map to local user groups.
-    Possible values     string
+    Possible values     No information available
     Default value       roles
     
     Variable            ADMIN_OIDC_MAKE_USERS_STAFF
@@ -79,12 +78,6 @@ Detailed Information
     Possible values     True, False
     Default value       False
     
-    Variable            ADMIN_OIDC_OIDC_EXEMPT_URLS
-    Setting             URLs exempt from session renewal
-    Description         This is a list of absolute url paths, regular expressions for url paths, or Django view names. This plus the mozilla-django-oidc urls are exempted from the session renewal by the SessionRefresh middleware.
-    Possible values     string, comma-delimited ('foo,bar,baz')
-    Default value       
-    
     Variable            ADMIN_OIDC_OIDC_NONCE_SIZE
     Setting             Nonce size
     Description         Sets the length of the random string used for OpenID Connect nonce verification
@@ -190,5 +183,5 @@ Detailed Information
     Variable            ADMIN_OIDC_USERNAME_CLAIM
     Setting             username claim
     Description         The name of the OIDC claim that is used as the username
-    Possible values     string
+    Possible values     No information available
     Default value       sub
diff --git a/docs/configuration/digid_oidc.rst b/docs/configuration/digid_oidc.rst
@@ -31,10 +31,8 @@ All settings:
 
 ::
 
+    DIGID_OIDC_BSN_CLAIM
     DIGID_OIDC_ENABLED
-    DIGID_OIDC_ERROR_MESSAGE_MAPPING
-    DIGID_OIDC_IDENTIFIER_CLAIM_NAME
-    DIGID_OIDC_OIDC_EXEMPT_URLS
     DIGID_OIDC_OIDC_KEYCLOAK_IDP_HINT
     DIGID_OIDC_OIDC_NONCE_SIZE
     DIGID_OIDC_OIDC_OP_AUTHORIZATION_ENDPOINT
@@ -57,30 +55,18 @@ Detailed Information
 
 ::
 
+    Variable            DIGID_OIDC_BSN_CLAIM
+    Setting             BSN-claim
+    Description         Naam van de claim die het BSN bevat van de ingelogde gebruiker.
+    Possible values     No information available
+    Default value       bsn
+    
     Variable            DIGID_OIDC_ENABLED
     Setting             inschakelen
-    Description         Geeft aan of OpenID Connect voor authenticatie/autorisatie is ingeschakeld. Deze overschrijft het gebruik van SAML voor DigiD-authenticatie.
+    Description         Indicates whether OpenID Connect for authentication/authorization is enabled
     Possible values     True, False
     Default value       False
     
-    Variable            DIGID_OIDC_ERROR_MESSAGE_MAPPING
-    Setting             Foutmelding mapping
-    Description         Mapping die de door de identiteitsprovider geretourneerde foutmeldingen, omzet in leesbare meldingen die aan de gebruiker worden getoond
-    Possible values     Mapping: {'some_key': 'Some value'}
-    Default value       {}
-    
-    Variable            DIGID_OIDC_IDENTIFIER_CLAIM_NAME
-    Setting             BSN claim naam
-    Description         De naam van de claim waarin het BSN nummer van de gebruiker is opgeslagen
-    Possible values     string
-    Default value       bsn
-    
-    Variable            DIGID_OIDC_OIDC_EXEMPT_URLS
-    Setting             URLs exempt from session renewal
-    Description         This is a list of absolute url paths, regular expressions for url paths, or Django view names. This plus the mozilla-django-oidc urls are exempted from the session renewal by the SessionRefresh middleware.
-    Possible values     No information available
-    Default value       
-    
     Variable            DIGID_OIDC_OIDC_KEYCLOAK_IDP_HINT
     Setting             Keycloak-identiteitsprovider hint
     Description         Specifiek voor Keycloak: parameter die aangeeft welke identiteitsprovider gebruikt moet worden (inlogscherm van Keycloak overslaan).
@@ -149,7 +135,7 @@ Detailed Information
     
     Variable            DIGID_OIDC_OIDC_RP_SCOPES_LIST
     Setting             OpenID Connect scopes
-    Description         OpenID Connect-scopes die worden bevraagd tijdens het inloggen. Deze zijn hardcoded en moeten worden ondersteund door de identiteitsprovider.
+    Description         OpenID Connect scopes that are requested during login. These scopes are hardcoded and must be supported by the identity provider.
     Possible values     No information available
     Default value       openid, bsn
     

diff --git a/docs/configuration/eherkenning_oidc.rst b/docs/configuration/eherkenning_oidc.rst
@@ -32,9 +32,7 @@ All settings:
 ::
 
     EHERKENNING_OIDC_ENABLED
-    EHERKENNING_OIDC_ERROR_MESSAGE_MAPPING
-    EHERKENNING_OIDC_IDENTIFIER_CLAIM_NAME
-    EHERKENNING_OIDC_OIDC_EXEMPT_URLS
+    EHERKENNING_OIDC_LEGAL_SUBJECT_CLAIM
     EHERKENNING_OIDC_OIDC_KEYCLOAK_IDP_HINT
     EHERKENNING_OIDC_OIDC_NONCE_SIZE
     EHERKENNING_OIDC_OIDC_OP_AUTHORIZATION_ENDPOINT
@@ -59,27 +57,15 @@ Detailed Information
 
     Variable            EHERKENNING_OIDC_ENABLED
     Setting             inschakelen
-    Description         Geeft aan of OpenID Connect voor authenticatie/autorisatie is ingeschakeld. Deze heeft voorrang op het gebruik van SAML voor eHerkenning-authenticatie.
+    Description         Indicates whether OpenID Connect for authentication/authorization is enabled
     Possible values     True, False
     Default value       False
     
-    Variable            EHERKENNING_OIDC_ERROR_MESSAGE_MAPPING
-    Setting             Foutmelding mapping
-    Description         Mapping die de door de identiteitsprovider geretourneerde foutmeldingen, omzet in leesbare meldingen die aan de gebruiker worden getoond
-    Possible values     Mapping: {'some_key': 'Some value'}
-    Default value       {}
-    
-    Variable            EHERKENNING_OIDC_IDENTIFIER_CLAIM_NAME
-    Setting             KVK claim naam
-    Description         De naam van de claim waarin het KVK nummer van de gebruiker is opgeslagen
-    Possible values     string
-    Default value       kvk
-    
-    Variable            EHERKENNING_OIDC_OIDC_EXEMPT_URLS
-    Setting             URLs exempt from session renewal
-    Description         This is a list of absolute url paths, regular expressions for url paths, or Django view names. This plus the mozilla-django-oidc urls are exempted from the session renewal by the SessionRefresh middleware.
-    Possible values     string, comma-delimited ('foo,bar,baz')
-    Default value       
+    Variable            EHERKENNING_OIDC_LEGAL_SUBJECT_CLAIM
+    Setting             bedrijfsidenticatie-claim
+    Description         Naam van de claim die de identificatie van het ingelogde/vertegenwoordigde bedrijf bevat.
+    Possible values     No information available
+    Default value       urn:etoegang:core:LegalSubjectID
     
     Variable            EHERKENNING_OIDC_OIDC_KEYCLOAK_IDP_HINT
     Setting             Keycloak-identiteitsprovider hint
@@ -149,7 +135,7 @@ Detailed Information
     
     Variable            EHERKENNING_OIDC_OIDC_RP_SCOPES_LIST
     Setting             OpenID Connect scopes
-    Description         OpenID Connect-scopes die worden bevraagd tijdens het inloggen. Deze zijn hardcoded en moeten worden ondersteund door de identiteitsprovider.
+    Description         OpenID Connect scopes that are requested during login. These scopes are hardcoded and must be supported by the identity provider.
     Possible values     string, comma-delimited ('foo,bar,baz')
     Default value       openid, kvk
     

diff --git a/docs/configuration/eherkenning_saml.rst b/docs/configuration/eherkenning_saml.rst
@@ -134,7 +134,7 @@ Detailed Information
     
     Variable            EHERKENNING_SAML_EH_LOA
     Setting             eHerkenning LoA
-    Description         Level of Assurance (LoA) to use for the eHerkenning service.
+    Description         Betrouwbaarheidsniveau (LoA) voor de eHerkenningservice.
     Possible values     urn:etoegang:core:assurance-class:loa1, urn:etoegang:core:assurance-class:loa2, urn:etoegang:core:assurance-class:loa2plus, urn:etoegang:core:assurance-class:loa3, urn:etoegang:core:assurance-class:loa4
     Default value       urn:etoegang:core:assurance-class:loa3
     
@@ -164,7 +164,7 @@ Detailed Information
     
     Variable            EHERKENNING_SAML_EIDAS_LOA
     Setting             eIDAS LoA
-    Description         Level of Assurance (LoA) to use for the eIDAS service.
+    Description         Betrouwbaarheidsniveau (LoA) voor de eIDAS-service.
     Possible values     urn:etoegang:core:assurance-class:loa1, urn:etoegang:core:assurance-class:loa2, urn:etoegang:core:assurance-class:loa2plus, urn:etoegang:core:assurance-class:loa3, urn:etoegang:core:assurance-class:loa4
     Default value       urn:etoegang:core:assurance-class:loa3
     

diff --git a/src/open_inwoner/configurations/bootstrap/auth.py b/src/open_inwoner/configurations/bootstrap/auth.py
@@ -9,26 +9,45 @@
     EherkenningConfigurationAdmin,
 )
 from digid_eherkenning.models import DigidConfiguration, EherkenningConfiguration
+from digid_eherkenning.oidc.admin import admin_modelform_factory
+from django_jsonform.forms.fields import JSONFormField
 from django_setup_configuration.config_settings import ConfigSettings
 from django_setup_configuration.configuration import BaseConfigurationStep
 from django_setup_configuration.exceptions import ConfigurationRunFailed
 from mozilla_django_oidc_db.forms import OpenIDConnectConfigForm
 from mozilla_django_oidc_db.models import OpenIDConnectConfig
 from simple_certmanager.models import Certificate
 
-from digid_eherkenning_oidc_generics.admin import (
-    OpenIDConnectDigiDConfigForm,
-    OpenIDConnectEHerkenningConfigForm,
-)
-from digid_eherkenning_oidc_generics.models import (
-    OpenIDConnectDigiDConfig,
-    OpenIDConnectEHerkenningConfig,
-)
+from open_inwoner.accounts.models import OpenIDDigiDConfig, OpenIDEHerkenningConfig
 from open_inwoner.configurations.models import SiteConfiguration
 
 from .utils import convert_setting_to_model_field_name, log_form_errors
 
 
+class LOAValueMappingField(JSONFormField):
+    def to_python(self, value):
+        value = super().to_python(value)
+        # super class treats [] as empty (not wrong), but converts it to None, which
+        # doesn't pass the schema validation
+        if value is None:
+            value = []
+        return value
+
+
+def formfield_callback(model_field, **kwargs):
+    if model_field.name == "loa_value_mapping":
+        kwargs["form_class"] = LOAValueMappingField
+    return model_field.formfield(**kwargs)
+
+
+OpenIDDigiDConfigForm = admin_modelform_factory(
+    OpenIDDigiDConfig, formfield_callback=formfield_callback
+)
+OpenIDEHerkenningConfigForm = admin_modelform_factory(
+    OpenIDEHerkenningConfig, formfield_callback=formfield_callback
+)
+
+
 #
 # DigiD OIDC
 #
@@ -41,16 +60,14 @@ class DigiDOIDCConfigurationStep(BaseConfigurationStep):
     config_settings = ConfigSettings(
         enable_setting="DIGID_OIDC_CONFIG_ENABLE",
         namespace="DIGID_OIDC",
-        models=[OpenIDConnectDigiDConfig],
+        models=[OpenIDDigiDConfig],
         required_settings=[
             "DIGID_OIDC_OIDC_RP_CLIENT_ID",
             "DIGID_OIDC_OIDC_RP_CLIENT_SECRET",
         ],
         optional_settings=[
             "DIGID_OIDC_ENABLED",
-            "DIGID_OIDC_ERROR_MESSAGE_MAPPING",
-            "DIGID_OIDC_IDENTIFIER_CLAIM_NAME",
-            "DIGID_OIDC_OIDC_EXEMPT_URLS",
+            "DIGID_OIDC_BSN_CLAIM",
             "DIGID_OIDC_OIDC_KEYCLOAK_IDP_HINT",
             "DIGID_OIDC_OIDC_NONCE_SIZE",
             "DIGID_OIDC_OIDC_OP_AUTHORIZATION_ENDPOINT",
@@ -72,18 +89,18 @@ def is_enabled(self):
         return getattr(settings, self.config_settings.enable_setting, False)
 
     def is_configured(self) -> bool:
-        return OpenIDConnectDigiDConfig.get_solo().enabled
+        return OpenIDDigiDConfig.get_solo().enabled
 
     def configure(self):
         if not self.is_enabled():
             return
 
-        config = OpenIDConnectDigiDConfig.get_solo()
+        config = OpenIDDigiDConfig.get_solo()
 
         # Use the model defaults
         form_data = {
             field.name: getattr(config, field.name)
-            for field in OpenIDConnectDigiDConfig._meta.fields
+            for field in OpenIDDigiDConfig._meta.fields
         }
 
         # Only override field values with settings if they are defined
@@ -101,12 +118,8 @@ def configure(self):
 
         form_data["enabled"] = True
 
-        # Saving the form with the default error_message_mapping `{}` causes the save to fail
-        if not form_data["error_message_mapping"]:
-            del form_data["error_message_mapping"]
-
         # Use the admin form to apply validation and fetch URLs from the discovery endpoint
-        form = OpenIDConnectDigiDConfigForm(data=form_data)
+        form = OpenIDDigiDConfigForm(data=form_data)
         if not form.is_valid():
             raise ConfigurationRunFailed(
                 f"Something went wrong while saving configuration: {form.errors}"
@@ -133,15 +146,15 @@ class eHerkenningOIDCConfigurationStep(BaseConfigurationStep):
     config_settings = ConfigSettings(
         enable_setting="EHERKENNING_OIDC_CONFIG_ENABLE",
         namespace="EHERKENNING_OIDC",
-        models=[OpenIDConnectEHerkenningConfig],
+        models=[OpenIDEHerkenningConfig],
         update_fields=True,
         required_settings=[
             "EHERKENNING_OIDC_OIDC_RP_CLIENT_ID",
             "EHERKENNING_OIDC_OIDC_RP_CLIENT_SECRET",
         ],
         optional_settings=[
             "EHERKENNING_OIDC_ENABLED",
-            "EHERKENNING_OIDC_IDENTIFIER_CLAIM_NAME",
+            "EHERKENNING_OIDC_LEGAL_SUBJECT_CLAIM",
             "EHERKENNING_OIDC_OIDC_RP_SCOPES_LIST",
             "EHERKENNING_OIDC_OIDC_RP_SIGN_ALGO",
             "EHERKENNING_OIDC_OIDC_RP_IDP_SIGN_KEY",
@@ -152,28 +165,26 @@ class eHerkenningOIDCConfigurationStep(BaseConfigurationStep):
             "EHERKENNING_OIDC_OIDC_OP_USER_ENDPOINT",
             "EHERKENNING_OIDC_OIDC_OP_LOGOUT_ENDPOINT",
             "EHERKENNING_OIDC_USERINFO_CLAIMS_SOURCE",
-            "EHERKENNING_OIDC_ERROR_MESSAGE_MAPPING",
             "EHERKENNING_OIDC_OIDC_KEYCLOAK_IDP_HINT",
             "EHERKENNING_OIDC_OIDC_USE_NONCE",
             "EHERKENNING_OIDC_OIDC_NONCE_SIZE",
             "EHERKENNING_OIDC_OIDC_STATE_SIZE",
-            "EHERKENNING_OIDC_OIDC_EXEMPT_URLS",
         ],
     )
 
     def is_configured(self) -> bool:
-        return OpenIDConnectEHerkenningConfig.get_solo().enabled
+        return OpenIDEHerkenningConfig.get_solo().enabled
 
     def configure(self):
         if not getattr(settings, self.config_settings.enable_setting, None):
             return
 
-        config = OpenIDConnectEHerkenningConfig.get_solo()
+        config = OpenIDEHerkenningConfig.get_solo()
 
         # Use the model defaults
         form_data = {
             field.name: getattr(config, field.name)
-            for field in OpenIDConnectEHerkenningConfig._meta.fields
+            for field in OpenIDEHerkenningConfig._meta.fields
         }
 
         # Only override field values with settings if they are defined
@@ -191,12 +202,8 @@ def configure(self):
 
         form_data["enabled"] = True
 
-        # Saving the form with the default error_message_mapping `{}` causes the save to fail
-        if not form_data["error_message_mapping"]:
-            del form_data["error_message_mapping"]
-
         # Use the admin form to apply validation and fetch URLs from the discovery endpoint
-        form = OpenIDConnectEHerkenningConfigForm(data=form_data)
+        form = OpenIDEHerkenningConfigForm(data=form_data)
         if not form.is_valid():
             raise ConfigurationRunFailed(
                 f"Something went wrong while saving configuration: {form.errors}"
@@ -235,7 +242,6 @@ class AdminOIDCConfigurationStep(BaseConfigurationStep):
             "ADMIN_OIDC_CLAIM_MAPPING",
             "ADMIN_OIDC_GROUPS_CLAIM",
             "ADMIN_OIDC_MAKE_USERS_STAFF",
-            "ADMIN_OIDC_OIDC_EXEMPT_URLS",
             "ADMIN_OIDC_OIDC_NONCE_SIZE",
             "ADMIN_OIDC_OIDC_OP_AUTHORIZATION_ENDPOINT",
             "ADMIN_OIDC_OIDC_OP_DISCOVERY_ENDPOINT",